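SRX340:
/* Two-node SRX340 chassis cluster: node0 = fw01, node1 = fw02 (selected by apply-groups "${node}"). */
/* Brace balance restored from the collapsed dump: 'security' now closes before 'interfaces', and reth1 units 20/30/60 are siblings. */
groups {
    node0 {
        system {
            host-name fw01;
        }
    }
    node1 {
        system {
            host-name fw02;
        }
    }
}
apply-groups "${node}";
system {
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                /* NOTE(review): this hash is part of the published dump; treat the credential as exposed and rotate it. */
                encrypted-password "$6$mNI4b2sT$gZq9FGH1Nd8fH7EAHiY9ATwYgFEfG8Q58rUZWYz3KudA5tY6XgmaxJaPaFZocuC7LeOK9mXGbcJxFyVD9azQX0"; ## SECRET-DATA
            }
        }
        message "\n\n\n\tUNAUTHORIZED USE OF THIS FiREWALL\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact '\dvm.support@dr.com\' to gain\naccess to this equipment if you need authorization.\n\n\n";
    }
    root-authentication {
        /* NOTE(review): same as above — published hash, rotate. */
        encrypted-password "$5$Bk25QSUt$gJcuGj28xFicP81cFrlqgRrj567889900h4j5/xPr2ISfq4bpyvIC"; ## SECRET-DATA
    }
    services {
        ssh {
            /* NOTE(review): tcp-forwarding lets any SSH login tunnel TCP through the Routing Engine; delete unless a documented need exists. */
            tcp-forwarding;
            protocol-version v2;
        }
        /* NOTE(review): xnm-clear-text exposes the JUNOScript XML management API over unencrypted TCP; prefer xnm-ssl or remove it. */
        xnm-clear-text;
        web-management {
            /* NOTE(review): plain HTTP J-Web next to HTTPS sends logins in clear; remove 'http'. */
            http;
            https {
                /* Self-signed certificate: clients cannot verify device identity; a CA-issued local certificate is preferable. */
                system-generated-certificate;
            }
        }
    }
    time-zone UTC;
    default-address-selection;
    no-redirects;
    ports {
        console {
            authentication-order password;
            log-out-on-disconnect;
        }
    }
    /* Single external resolver; referenced by prefix-list nameserver-addresses via apply-path. */
    name-server {
        8.8.8.8;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 10;
        }
    }
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        /* NOTE(review): no interface-monitor / ip-monitoring on RG1, so a failed member link does not trigger failover — confirm intended. */
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
        }
    }
}
security {
    nat {
        source {
            /* Interface (PAT) source NAT for the OT segment toward the Internet. */
            rule-set otapplication-to-internet {
                from zone ot-application;
                to zone untrust;
                rule internet-access {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* NOTE(review): pool carries a /21 although AP-R-01 is one host (172.22.1.4/32 in zone application); /32 is presumably intended — confirm. */
            pool AP-R-01_pool {
                address 172.22.1.4/21 port 655;
            }
            rule-set internet {
                from zone untrust;
                /* NOTE(review): /30 matches the whole point-to-point subnet, including the ISP peer address; /32 on the local address is presumably intended. */
                rule tinc_655_to_AP-R-01 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.150.30/30;
                        destination-port {
                            655;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                AP-R-01_pool;
                            }
                        }
                    }
                }
                rule 2_tinc_655_to_AP-R-01 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.250.30/30;
                        destination-port {
                            655;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                AP-R-01_pool;
                            }
                        }
                    }
                }
                /* NOTE(review): /29 translates all eight addresses of the range, not just 10.200.5.81; use /32 unless that is intended. */
                rule publicip_10_200_5_81 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.200.5.81/29;
                        destination-port {
                            655;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                AP-R-01_pool;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy any-to-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* NOTE(review): any Internet source may open ssh/http/https to any trust address; restrict source-address to the 'offices' set and add 'log { session-init; }' so these sessions are visible. */
            policy allow_ssh_https {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ssh junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone application to-zone untrust {
            policy AP-application-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone application {
            /* NOTE(review): rule-set 'internet' translates TCP/UDP 655 to AP-R-01, but this policy only permits ssh/http/https, so the translated port-655 sessions appear to be dropped — add a custom application for 655 if tinc is meant to work, and 'log { session-init; }' for visibility. */
            policy allow_tinc_traffic_services {
                match {
                    source-address any;
                    destination-address AP-R-01;
                    application [ junos-ssh junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone ot-application to-zone untrust {
            policy OT-application-to-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            /* Office prefixes are redacted (x.x.x.x) in this dump. */
            address-book {
                address office-1 x.x.x.x/29;
                address office-2 x.x.x.x/27;
                address office-3 x.x.x.x/32;
                address office-4 x.x.x.x/32;
                address office-5 x.x.x.x/29;
                address-set offices {
                    address office-1;
                    address office-2;
                    address office-3;
                    address office-4;
                    address office-5;
                }
            }
            /* NOTE(review): 'all' admits every RE service from the Internet-facing zone; only the lo0 filter protect-re narrows it. List the required services (e.g. ping, ssh) instead. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.1409;
                ge-5/0/7.2409;
            }
        }
        security-zone management-network {
            interfaces {
                reth1.60 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone idrac {
            interfaces {
                reth1.10 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone application {
            address-book {
                address AP-R-01 172.22.1.4/32;
            }
            interfaces {
                reth1.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.100;
            }
        }
        security-zone ot-application {
            interfaces {
                reth1.30 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        description "sw01 ge-0/0/0";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/3 {
        description "sw02 ge-1/0/0";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/4 {
        description "sw01 ge-0/0/46 - internet";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/7 {
        description "ISP-router-01 - cable ID 3611";
        vlan-tagging;
        unit 1409 {
            vlan-id 1409;
            family inet {
                address 192.168.150.30/30;
            }
            family inet6 {
                address 2a00:1830:0:1:40::c0a9:7c1f/126;
            }
        }
    }
    ge-5/0/2 {
        description "sw03 ge-2/0/0";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/3 {
        description "sw04 ge-3/0/0";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/4 {
        description "sw03 ge-2/0/46 - internet";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/7 {
        description "ISP.net-router-02 - cable ID 3711";
        vlan-tagging;
        unit 2409 {
            vlan-id 2409;
            family inet {
                address 192.168.250.30/30;
            }
            family inet6 {
                address 2a00:1730:0:1:40::c0a9:e02f/126;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/0;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/0;
            }
        }
    }
    /* Filters on lo0 govern traffic destined to the Routing Engine from every zone. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
            family inet6 {
                filter {
                    input protect-re6;
                }
            }
        }
    }
    reth0 {
        description "switch - internet";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 100 {
            /* NOTE(review): RFC 1918 address labelled as the public range — presumably redacted for publication. */
            description "public ip-range";
            vlan-id 100;
            family inet {
                address 10.200.5.81/29 {
                    primary;
                    preferred;
                }
            }
        }
    }
    reth1 {
        description switch;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 10 {
            description "idrac vlan 10";
            vlan-id 10;
            family inet {
                address 172.22.0.1/26;
            }
        }
        unit 20 {
            description "AP-application vlan 20";
            vlan-id 20;
            family inet {
                address 172.22.1.1/21;
            }
        }
        unit 30 {
            description "OT-application vlan 30";
            vlan-id 30;
            family inet {
                address 172.22.2.1/24;
            }
        }
        unit 60 {
            description "mgmt vlan 60";
            vlan-id 60;
            family inet {
                address 172.22.3.1/27 {
                    primary;
                }
            }
        }
    }
}
policy-options {
    /* Redacted (x.x.x.x) office and ISP prefixes; these gate RE ssh in filter protect-re. */
    prefix-list offices {
        x.x.x.x/29;
        x.x.x.x/27;
        x.x.x.x/32;
        x.x.x.x/29;
        x.x.x.x/32;
    }
    prefix-list ISP.net {
        x.x.x.x/27;
        x.x.x.x/32;
    }
    prefix-list internal {
        172.22.3.0/27;
    }
    prefix-list nameserver-addresses {
        apply-path "system name-server <*>";
    }
    /* NOTE(review): no 'system ntp' stanza appears in this dump, so this list is empty and term ntp-v4 never matches; without NTP, log timestamps on the two nodes drift. */
    prefix-list ntp-addresses {
        apply-path "system ntp server <*>";
    }
    policy-statement load-sharing-per-packet {
        then {
            load-balance per-packet;
        }
    }
}
firewall {
    family inet {
        /* RE protection: established TCP, selected ICMP, traceroute, replies from configured DNS/NTP, ssh from known prefixes; everything else discarded. */
        filter protect-re {
            term established-tcp-v4 {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term icmp-v4 {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
                }
                then accept;
            }
            term udp-traceroute-v4 {
                from {
                    protocol udp;
                    destination-port 33434-33523;
                }
                then accept;
            }
            term dns-v4 {
                from {
                    source-prefix-list {
                        nameserver-addresses;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term ntp-v4 {
                from {
                    source-prefix-list {
                        ntp-addresses;
                    }
                    protocol udp;
                    source-port 123;
                }
                then accept;
            }
            term ssh {
                from {
                    source-prefix-list {
                        offices;
                        ISP.net;
                        internal;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term discard-the-rest-v4 {
                then {
                    discard;
                }
            }
        }
    }
    family inet6 {
        /* NOTE(review): discarding all IPv6 to the RE also drops ICMPv6 neighbor discovery on the ISP links, which likely leaves the inet6 addresses on ge-0/0/7.1409 and ge-5/0/7.2409 unreachable; accept the needed icmp6 types before this term. */
        filter protect-re6 {
            term deny-all {
                then discard;
            }
        }
    }
}
protocols {
    lldp {
        interface all;
    }
}
routing-options {
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
        }
    }
    rib inet6.0 {
        static {
            /* NOTE(review): these next-hops carry a prefix length and equal the local addresses on ge-0/0/7.1409 / ge-5/0/7.2409; a next-hop should be the provider's peer address (compare the .29 peers on the inet default) — confirm with the ISP. */
            route ::0/0 next-hop [ 2a00:1830:0:1:40::c0a9:7c1f/126 2a00:1730:0:1:40::c0a9:e02f/126 ];
        }
    }
    forwarding-table {
        export load-sharing-per-packet;
    }
}
{primary:node0}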